Analysis
- max time kernel: 96s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2022 19:28
Static task: static1
Behavioral task: behavioral1
- Sample: Setup_Win_29-12-2022_17-21-18.msi
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Setup_Win_29-12-2022_17-21-18.msi
- Resource: win10v2004-20220812-en
General
- Target: Setup_Win_29-12-2022_17-21-18.msi
- Size: 772KB
- MD5: 37d819630a3536847fd4617c661695e2
- SHA1: 134da7d0bbda94b054cb20cd9f6e759cd010c166
- SHA256: 38a68c48a2cb002af6c7bd36412ce920202e04c5ef73d7ea58a1303122142891
- SHA512: 47b5aed5ae382b56d3197c3ca53a5bfe55fc9f9c4be3b5503daac2223261373ae1e791e7dc3823365460f2df16a9ee72bfa358a21ebb46bf5597f72949da2165
- SSDEEP: 12288:ewHL0DpxMX/wg4ZqU0UmmhtNOOdpxoPcrDnS34y9RPF8L:XHL0EvwglMtNjjoGS3bRPF8L
Malware Config
Extracted
icedid
2957048208
whothitheka.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes (flow | pid | process):
- 2 | 1512 | rundll32.exe
- 4 | 1512 | rundll32.exe
-
Loads dropped DLL 3 IoCs
Processes (pid | process):
- 1996 | MsiExec.exe
- 1648 | rundll32.exe
- 1512 | rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
Processes (description | ioc | process):
- File created | C:\Windows\Installer\6c8a95.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI8CA7.tmp | msiexec.exe
- File created | C:\Windows\Installer\6c8a97.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI8DA3.tmp-\WixSharp.dll | rundll32.exe
- File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
- File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
- File opened for modification | C:\Windows\Installer\6c8a95.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI8DA3.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
- File opened for modification | C:\Windows\Installer\6c8a94.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI8DA3.tmp-\test.cs.dll | rundll32.exe
- File opened for modification | C:\Windows\Installer\MSI8DA3.tmp-\CustomAction.config | rundll32.exe
- File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
- File created | C:\Windows\Installer\6c8a94.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI8DA3.tmp | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid | process):
- 892 | msiexec.exe
- 892 | msiexec.exe
- 1512 | rundll32.exe
- 1512 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid | process):
- 1324 | msiexec.exe
- 1324 | msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description | pid | process | target process):
- PID 892 wrote to memory of 1996 | 892 | msiexec.exe | MsiExec.exe
- PID 892 wrote to memory of 1996 | 892 | msiexec.exe | MsiExec.exe
- PID 892 wrote to memory of 1996 | 892 | msiexec.exe | MsiExec.exe
- PID 892 wrote to memory of 1996 | 892 | msiexec.exe | MsiExec.exe
- PID 892 wrote to memory of 1996 | 892 | msiexec.exe | MsiExec.exe
- PID 1996 wrote to memory of 1648 | 1996 | MsiExec.exe | rundll32.exe
- PID 1996 wrote to memory of 1648 | 1996 | MsiExec.exe | rundll32.exe
- PID 1996 wrote to memory of 1648 | 1996 | MsiExec.exe | rundll32.exe
- PID 1648 wrote to memory of 1512 | 1648 | rundll32.exe | rundll32.exe
- PID 1648 wrote to memory of 1512 | 1648 | rundll32.exe | rundll32.exe
- PID 1648 wrote to memory of 1512 | 1648 | rundll32.exe | rundll32.exe
Processes (child processes are indented under their parent)
-
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_29-12-2022_17-21-18.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\MsiExec.exe
  Command line: C:\Windows\system32\MsiExec.exe -Embedding 76AD7D86A871B627C12253A424F8037D
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Windows\Installer\MSI8DA3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7114316 1 test.cs!X1X3X2.Y1yY.Z3z1Z
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIc07ee3e6.msi",init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000490"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\MSIc07ee3e6.msi
- Filesize: 323KB
- MD5: 460cf4e821b22e1b3df659a01ee8fb0a
- SHA1: 1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8
- SHA256: 338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a
- SHA512: c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4
-
C:\Windows\Installer\MSI8DA3.tmp
- Filesize: 414KB
- MD5: 85d31c51c042a434aa8ae209fb5ce686
- SHA1: 712f12f2f497cb911484456fc151db897eecff28
- SHA256: aac98ff611d211b36c5e9624a535abb3d3854764af0ab066252bccdf193e3365
- SHA512: a11d905583965d99ecf4256277ab17bea4e2214cde923db10ab90ab869459486d25f2f80abb9a748c8f68ace593d52ff8d08fccfb40f25bb41f9059036c448d5
-
Memory dumps:
- memory/1324-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp (Filesize: 8KB)
- memory/1512-66-0x0000000000000000-mapping.dmp
- memory/1512-69-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/1648-63-0x0000000001BB0000-0x0000000001BBA000-memory.dmp (Filesize: 40KB)
- memory/1648-64-0x0000000002000000-0x0000000002070000-memory.dmp (Filesize: 448KB)
- memory/1648-62-0x0000000001C40000-0x0000000001C6E000-memory.dmp (Filesize: 184KB)
- memory/1648-60-0x0000000000000000-mapping.dmp
- memory/1996-56-0x0000000000000000-mapping.dmp